Wireless presenters easily cracked

While hacking a wireless presenter doesn’t sound like something worthwhile or interesting, [Niels Teusink] demonstrates that these little devices often are a lot more powerful than we give them credit.

With an Arduino, plenty of research, and some heavy sniffing of a wireless presenter’s SPI and then wireless interface [Niels] is able to emulate an entire keyboard. Sending commands as harmless as “next slide” to the devastating “[Win+R] Format C:”. Hopefully anyone planning such a project at the next Apple or Microsoft keynote just intends some gentle fun.

Post navigation

18 thoughts on “Wireless presenters easily cracked”

I can appreciate Niels efforts, and sharing the discoveries online. While I’m not compelled to duplicate his efforts there is something to be learned from the details of his process. Thanks to Niels for posting to his blog, and HaD for pointing us to it.

Furthermore I understand how a wireless keyboard can be a security risk if someone is logging the keystrokes, but the vulnerability of wireless mice and data presenter control is a PIA at worst. The person causing the pain may suffer there own PIA if discovered and his toy is place in there “A” forcefully.
As far as I know the dongle used for wireless devices, other than blue tooth headsets, are receivers only not xceivers,so no data can be gotten from the computer with which the dongle is attached to.
D_

Cool project, very nice to see more peoples’ processes and very well written.

@D_: I’d say that vulnerable data presenters and mousing devices are very vitally important security risk. If injection is possible (by spoofing the transmitter’s identifier, or however any particular vulnerable system can be broken), then malicious keystrokes or mousing events. Files could easily be deleted, or sent over other connections to the attacker’s server. Control of someone’s computer is not just a “PIA” for the victim — it’s a very significant security risk. Though perhaps I’m misunderstanding your argument.

@Frank26080115: It’s a test clip for SOIC packages (that’s what you call that kind of surface mount package). Googling “SOIC Clip” got me this link: http://www.wassco.com/Products/Test-Clip–Narrow-SOIC–SMTC-8-Pin–3M__TMT-650-08.aspx but there are plenty of other manufacturers and variants (pin count, width) to choose from. I was contemplating getting a couple of those myself; I actually have that same USBee unit, and it’d be nice to be able to easily clip onto chips rather than probing the legs by hand.

You say its just a PIA as the dongle can only receive and not xmit, therefore no data can be gleaned. I must disagree.

I may not be able to siphon data through the dongle itself, but if I have console access I can install and execute any malware I damn well want.
That includes getting it to deliver to me any and all data I want dumped to any IP of my choosing the next time its connected to a network.

@charper:
The system’s security is compromised. simply becouse an attacker could use the presenter dongle as a keyboard. so it’s possible to open a terminal and mount a network share. from there on the attacker is in.

The article mentions that an unencrypted mouse interface should not be concerning, but in reality you can do virtually anything with a mouse that you can do with a keyboard in Windows. I have had to use this fact several times in the past when my keyboard quit working or a program stopped responding to keyboard input for some reason but mouse input still worked. First of all, you can copy and paste individual characters from some other document to form any input (assuming the characters you need exist in a document somewhere, alternatively you could use the Character Map). This might take a while for lots of input but perhaps you could enter a “tinyurl” or something quick enough to cause trouble. You can cause plenty of problems with regular mouse actions as well (delete files and then empty the recycle bin; delete important system files; cause general mayhem). It’s naïve to think that it’s safe to let the public take over *any* input, to the computer you’re using publicly in front of hundreds or thousands of people… it’s just too tempting.

@Ryan: I have the same USBee model as the one shown in the article. It’s a pretty solid little module; well built hardware, small size, and fairly well featured. My only real complaint is the fact that the software was Windows only. Looks like they’ve opened documentation for developing Mac and Linux tools, but they haven’t done them themselves (and they’re not currently available). I run it in an XP VM, which works well enough; I don’t really push it to the limits of it’s potential (I’m usually just using it to sniff I2C and UART communications, plus confirm that hardware PWM’s are acting like they’re supposed to), but it’s great for what I need it for. The software actually got updated relatively recently, which is nice — the older version, while it worked, was a little on the buggy side.

There are alternatives that have come out since I purchased mine; a few open source/hardware ones that honestly I’d probably prefer, that may work better or worse, and may be cheaper, but I haven’t worked with any of them so I can’t speak to their quality. If I were you, I would shop around, with the knowledge that the USBee is one good option (as long as you have a Windows dev environment.